sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0

Support TSAs other than sigstore/timestamp-authority #196

Closed haydentherapper closed 3 months ago

haydentherapper commented 3 months ago

RFC3161 does not define a specification for the API path of a TSA, only standardizing the input and output as timestamp request and response structures. The Sigstore TSA implementation defines the path to request timestamps as api/v1/timestamp.

As discussed in https://github.com/sigstore/sigstore-go/pull/187, the current timestamp authority client, which comes from generated code in sigstore/timestamp-authority, only supports the Sigstore TSA implementation. When a URL is provided to the client, it is truncated to only the URL host, and then the API path above is appended.

In order to support arbitrary TSAs, we need to use a custom client that a) uses the provided URL with both the host and path, b) takes in a timestamp request, and c) parses a returned timestamp response.

We have implemented this already in Cosign as part of https://github.com/sigstore/cosign/pull/2708:

I would recommend we upstream this client to sigstore/timestamp-authority or duplicate it in sigstore/sigstore-go.
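The client shape described in this issue (send the request to the URL exactly as given, host and path included; build a TimeStampReq; parse the returned TimeStampResp), as an added Go example that is not code from sigstore-go, Cosign or sigstore/timestamp-authority. It uses only the standard library, so the RFC 3161 structures are hand-written over encoding/asn1 (the request's extensions field is omitted); the TSA it talks to is a constructed in-process stand-in that serves only `/custom/tsa/path` and returns a placeholder token, and the names `NewTimestampRequest`, `GetTimestamp`, `ParseTimestampResponse` and `NewFakeTSAClient` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
)

// Minimal RFC 3161 structures over stdlib encoding/asn1. The request's
// extensions field is left out; a production client would use an RFC 3161 library.
var (
	oidSHA256     = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
)

type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

type timeStampReq struct {
	Version        int
	MessageImprint messageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"`
}

type pkiStatusInfo struct {
	Status       int            // 0 granted, 1 grantedWithMods, anything else is a rejection
	StatusString []string       `asn1:"optional"`
	FailInfo     asn1.BitString `asn1:"optional"`
}

type timeStampResp struct {
	Status         pkiStatusInfo
	TimeStampToken asn1.RawValue `asn1:"optional"` // CMS ContentInfo, kept as raw DER
}

// NewTimestampRequest builds a DER TimeStampReq over SHA-256(artifact); nonce
// (may be nil) ties the reply to this request, certReq asks for the TSA's chain.
func NewTimestampRequest(artifact []byte, nonce *big.Int) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return asn1.Marshal(timeStampReq{
		Version:        1,
		MessageImprint: messageImprint{pkix.AlgorithmIdentifier{Algorithm: oidSHA256, Parameters: asn1.NullRawValue}, digest[:]},
		Nonce:          nonce,
		CertReq:        true,
	})
}

// GetTimestamp POSTs tsq to tsaURL exactly as given (scheme, host and path;
// nothing is truncated or appended) and returns the DER TimeStampToken.
func GetTimestamp(client *http.Client, tsaURL string, tsq []byte) ([]byte, error) {
	req, err := http.NewRequest(http.MethodPost, tsaURL, bytes.NewReader(tsq))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/timestamp-query")
	req.Header.Set("Accept", "application/timestamp-reply")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("TSA %s answered HTTP %d", tsaURL, resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the untrusted reply
	if err != nil {
		return nil, err
	}
	return ParseTimestampResponse(body)
}

// ParseTimestampResponse checks PKIStatus and returns the token's DER bytes.
// Verifying the token's signature and matching its nonce and message imprint
// back to the request is the caller's job.
func ParseTimestampResponse(der []byte) ([]byte, error) {
	var tsr timeStampResp
	rest, err := asn1.Unmarshal(der, &tsr)
	if err != nil {
		return nil, fmt.Errorf("malformed TimeStampResp: %w", err)
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after TimeStampResp")
	}
	if st := tsr.Status; st.Status != 0 && st.Status != 1 {
		return nil, fmt.Errorf("TSA rejected request (status %d): %v", st.Status, st.StatusString)
	}
	tok := tsr.TimeStampToken
	if tok.Class != asn1.ClassUniversal || tok.Tag != asn1.TagSequence || !tok.IsCompound || len(tok.FullBytes) == 0 {
		return nil, fmt.Errorf("granted status without a well-formed TimeStampToken")
	}
	return tok.FullBytes, nil
}

type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// NewFakeTSAClient returns an http.Client wired in-process (no sockets) to a
// constructed stand-in TSA that answers only at /custom/tsa/path; any other
// path, /api/v1/timestamp included, is a 404. Its token is a placeholder
// SEQUENCE holding id-signedData, not a real signed timestamp.
func NewFakeTSAClient() *http.Client {
	mux := http.NewServeMux()
	mux.HandleFunc("/custom/tsa/path", func(w http.ResponseWriter, r *http.Request) {
		var tsq timeStampReq
		body, _ := io.ReadAll(r.Body)
		_, err := asn1.Unmarshal(body, &tsq)
		w.Header().Set("Content-Type", "application/timestamp-reply")
		if r.Header.Get("Content-Type") != "application/timestamp-query" || err != nil || !tsq.MessageImprint.HashAlgorithm.Algorithm.Equal(oidSHA256) {
			out, _ := asn1.Marshal(timeStampResp{Status: pkiStatusInfo{Status: 2, StatusString: []string{"bad request"}}})
			w.Write(out)
			return
		}
		token, _ := asn1.Marshal(struct{ ContentType asn1.ObjectIdentifier }{oidSignedData})
		out, _ := asn1.Marshal(timeStampResp{Status: pkiStatusInfo{Status: 0}, TimeStampToken: asn1.RawValue{FullBytes: token}})
		w.Write(out)
	})
	return &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
		rec := httptest.NewRecorder()
		mux.ServeHTTP(rec, r)
		return rec.Result(), nil
	})}
}

func main() {
	client := NewFakeTSAClient() // against a real TSA: &http.Client{Timeout: ...}
	tsq, _ := NewTimestampRequest([]byte("artifact bytes"), big.NewInt(42)) // constructed nonce
	tok, err := GetTimestamp(client, "http://tsa.example/custom/tsa/path", tsq)
	fmt.Printf("URL used as given: %d token bytes, err=%v\n", len(tok), err)
	_, err = GetTimestamp(client, "http://tsa.example/api/v1/timestamp", tsq) // host-only rewrite
	fmt.Printf("path rewritten to Sigstore's: err=%v\n", err)
}
```

The second call in `main` reproduces the failure mode the issue describes: keeping only the host and appending `api/v1/timestamp` reaches a path this TSA does not serve, so the request fails with a 404 instead of a timestamp. Against a real TSA, replace the fake client with an ordinary `http.Client` carrying a timeout, generate the nonce with `crypto/rand`, and hand the returned token to the verifier that checks its signature and compares its nonce and imprint with the request.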

steiza commented 3 months ago

This was fixed with https://github.com/sigstore/sigstore-go/pull/202